Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to temporarily disable XSS protection in modern browsers for testing?

Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?

I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:

<script>alert("Danger");</script> 

However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?

like image 472
richardkmiller Avatar asked Oct 17 '12 04:10

richardkmiller


People also ask

Does Chrome block cross-site scripting?

On July 15, Google announced that the XSS Auditor module that protects Chrome users against Cross-site Scripting attacks is to be abandoned. It was found to be easy to bypass, inefficient, and causing too many false positives.

How can XSS be prevented?

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures: Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input. Encode data on output.

What is XSS filter?

Cross-site scripting (XSS) is a computer security vulnerability that allows malicious attackers to inject client-side script into web pages viewed by other users. You can use the Cross-site Scripting Filter setting to check all HTTP GET requests sent to IBM® OpenPages® with Watson™.


1 Answers

In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:

--disable-web-security  
like image 189
Zachary K Avatar answered Sep 28 '22 01:09

Zachary K